Ok, thanks for your prompt response on that...
So, I tested your scenario out in a Splunk Cloud instance - creating a custom admin role, assigning no inheritance, assigning specific capabilities (1-for-1 match of default admin role capabilities), and selecting "All internal indexes" under "Indexes searched by default" and "Indexes" sections. Then, I created a new user and assigned that user the custom_admin role.
After saving it, I was able to login as the user assigned to the custom_admin role and successfully receive results from a search of "index=_*".
I'm posting my authorize.conf below (kinda lengthy) - compare this list to your authorize.conf, add any capabilities missing from your custom admin role to your role. You should be able to find yours under $SPLUNK_DB/etc/system/local/authorize.conf.
Also, if this doesn't work for you, you may want to at least setup inheritance from the "user" or "power" role.
[role_custom_admin]
accelerate_datamodel = enabled
accelerate_search = enabled
admin_all_objects = enabled
can_own_notable_events = enabled
change_authentication = enabled
create_external_ticket = enabled
cumulativeRTSrchJobsQuota = 400
cumulativeSrchJobsQuota = 200
edit_correlationsearches = enabled
edit_deployment_client = enabled
edit_deployment_server = enabled
edit_dist_peer = enabled
edit_forwarders = enabled
edit_httpauths = enabled
edit_input_defaults = enabled
edit_log_review_settings = enabled
edit_modinput_threatlist = enabled
edit_modinput_web_ping = enabled
edit_monitor = enabled
edit_notable_events = enabled
edit_per_panel_filters = enabled
edit_postprocess = enabled
edit_reviewstatuses = enabled
edit_roles = enabled
edit_scripted = enabled
edit_search_head_clustering = enabled
edit_search_scheduler = enabled
edit_search_server = enabled
edit_server = enabled
edit_sourcetypes = enabled
edit_splunktcp = enabled
edit_splunktcp_ssl = enabled
edit_suppressions = enabled
edit_tcp = enabled
edit_token_http = enabled
edit_udp = enabled
edit_user = enabled
edit_view_html = enabled
edit_web_settings = enabled
embed_report = enabled
get_diag = enabled
get_metadata = enabled
get_typeahead = enabled
indexes_edit = enabled
input_file = enabled
license_edit = enabled
license_tab = enabled
list_deployment_client = enabled
list_deployment_server = enabled
list_forwarders = enabled
list_httpauths = enabled
list_search_head_clustering = enabled
list_search_scheduler = enabled
output_file = enabled
pattern_detect = enabled
request_remote_tok = enabled
rest_apps_management = disabled
rest_apps_view = disabled
rest_properties_get = disabled
rest_properties_set = disabled
restart_splunkd = enabled
rtSrchJobsQuota = 100
rtsearch = enabled
run_debug_commands = enabled
schedule_search = enabled
search = enabled
srchDiskQuota = 25000
srchIndexesAllowed = ;_
srchIndexesDefault = ;_
srchJobsQuota = 50
srchMaxTime = 0
srchTimeWin = 0
web_debug = enabled
... View more